Question

write a minimum 5 page technical research paper on a topic of your choice related to computer security. The paper must be in APA format (google APA 6 sample or template for Word, you will find many resources on how to format the paper). Please write 5 pages.

Topic:  Authenticating & Account Management

Answer 1

Definition: Authentication is the process of recognizing a user’s identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on a file in a database of the authorized user’s information on a local operating system or within an authentication server.

Description: The authentication process always runs at the start of the application, before the permission and throttling checks occur, and before any other code is allowed to proceed. Different systems may require different types of credentials to ascertain a user’s identity. The credential often takes the form of a password, which is a secret and known only to the individual and the system. Three categories in which someone may be authenticated are: something the user knows, something the user is, and something the user has.

Authentication process can be described in two distinct phases - identification and actual authentication. Identification phase provides a user identity to the security system. This identity is provided in the form of a user ID. The security system will search all the abstract objects that it knows and find the specific one of which the actual user is currently applying. Once this is done, the user has been identified. The fact that the user claims does not necessarily mean that this is true. An actual user can be mapped to other abstract user object in the system, and therefore be granted rights and permissions to the user and user must give evidence to prove his identity to the system. The process of determining claimed user identity by checking user-provided evidence is called authentication and the evidence which is provided by the user during process of authentication is called a credential.

Account management is one of the most important aspects of an organization’s security posture. Not only do the decisions affect how users interact with their network and systems, but account management embodies many key security principles. Therefore, understanding the range of account types as well as how to employ and manage each is a foundational skill of Security+ professionals. This article explores the various account types, account policy enforcement mechanisms, and other concepts that must be mastered on the path to the CompTIA Security+ certification.

Account Types

No matter what applications or systems you are using, when you log in with your credentials, your username is assigned a level of authority and access to functions, resources, and data. While these permissions are handled behind the scenes, each user is associated with one of several account types. A user account holds the most limited amount of access to a system, but it is also the level that the vast majority of users have. A user level account often prevents the installation of new applications, changes to global settings or rules, and limits other functions or files, focusing on core business functionality.

A shared account, sometimes known as a generic account, is one that can be utilized by more than one assigned user. This account type is often used by teams that share similar functions – known as group-based access – or by casual users that need access to a system in a limited capacity. While shared accounts allow for flexibility, they also introduce challenges, including the inability to tie a specific person to an action made while logged in. Each person with access to the generic account can also access the same functions and files as everyone else, which could lead to data integrity issues. Some organizations also utilize guest accounts, which are temporary and for specific, legitimate work needs user such as consultants, interns, or auditors.

Service accounts, however, control the privileges and functions of an application. Through service accounts, applications only have access to specific functions and data based on their function and needs. This account type provides a nice balance between complete system-wide permission and fine-tuned privileges based on the exact needs of the software by granting access, permissions, and rights in a completely custom fashion.

Administrative functions of a system that require global access – whether they be management, maintenance, or monitoring – are accomplished using a privileged account. Not for everyday tasks, privileged accounts should be defined for each administrative user and should be paired with a standard account, so other services such as email or internet browsing cannot interfere with administrative functions. Privileged accounts should be defined for each administrative role and system within an organization, allowing for separation of duties and preventing too much power being placed in too few accounts.

Account Management Concepts

Coupled with defining the right level of access a user needs are a range of account management concepts. The principle of least privilege is a guideline that grants a user the least amount of access, permissions, and privileges needed for them to perform their work. The assignment of privileges should also be periodically audited for misalignment between a user’s needs or role, their level of access, and usage to check for changes, privilege creep as jobs change, or the need to deactivate accounts.

Offboarding users who no longer need access to a system is just as important as following best practices when establishing an account. Some organization utilize a standard naming convention for consistency and organization to help with this, which can also help users to remember their username or easily identify the types of services within a system. User rights can also be defined by location-based policies that permit access based on geographic requirements or time-of-day restrictions that help to prevent unauthorized access outside of defined time boundaries.

Account recertification refers to several account management principles. First, recertification refers to performing a periodic assessment of a user’s responsibilities against their account permissions and rights, confirming the principle of least privilege. Recertification can also verify if a user has the proper level of skill or knowledge to have access to a certain account type. Finally, recertification of an IT system’s account management controls can also occur, validating if a system can adhere to proper levels of account security.

Account Policy Enforcement

Just because all users have the right level of access and account type to meet their business function does not mean an organization is as secure as it could be. That’s where account policy enforcement comes into play.

Credential management is an overall service that stores, manages, and often audits logins of user credentials in a central location, offered to both individuals and enterprise networks. Using credential management tools eases the overall administrative burden, allowing for the local or cloud-based credential storage for a range of accounts within one digital container. This functionality is different than a group policy in Windows systems, which allows for an administrator to maintain consistent configuration and security settings set as group policy objects that activate when users log in.

Other passwords policies can be established across an enterprise to contribute to a sound security posture. Password complexity, which dictates the character and length requirements, is often paired with expiration and password history rules that set parameters on when passwords need to be changed (a good rule of thumb is 90 days) and when a password can be reused, if at all. Account lockout is another policy that automatically disables an account when a certain threshold of incorrect passwords are used to log in, requiring a user to recover access to their account with a new password or by satisfying other requirements, such as security questions. Combined, these policies can help to prevent brute force password cracking or limit risk if a password is exposed.